French Company Incurs €250K Fine for Data Leak

A French company has incurred a fine of 250,000 euros for a significant data leak that might have exposed customers’ sensitive personal information.

On 7 June, France’s data privacy regulatory body Commission nationale de l’informatique et des libertés (CNIL) published a statement about a data leak of which it learned in July 2017. An English translation of the notice revealed that the security incident affected the website of a French company called Optical Center:

An on-site inspection was carried out on the premises of OPTICAL CENTER, during which [the company] acknowledged that [its] website did indeed have a security defect. In this case, the site www.optical-center.fr did not include functionality to verify that a customer is well connected to his personal space (“customer area”) before displaying his invoices. It was thus relatively simple to access documents from another client of the company.

Those documents contained customers’ names, physical addresses, medical data and in some cases their Social Security Numbers.

At the time of discovery, 334,000 documents were available in Optical Center’s database.
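The defect CNIL describes, an invoice page that never checks that the requester is logged in to the customer area the invoice belongs to, is sketched below next to a corrected handler and a small regression check. This is an added example, not Optical Center's or its provider's code; the function names, invoice ids, customer ids and in-memory session store are all constructed for illustration.

```python
"""Constructed sketch: invoice endpoint without and with an access check."""
import secrets

# Constructed sample data: invoice id -> (owning customer id, document body)
INVOICES = {
    1001: ("cust-a", "Invoice 1001 for customer A"),
    1002: ("cust-b", "Invoice 1002 for customer B"),
}
SESSIONS = {}  # session token -> customer id (stand-in for a real session store)


def login(customer_id):
    """Create a session for a customer and return its unguessable token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def get_invoice_unchecked(invoice_id, session_token=None):
    """Defect pattern: the session is never consulted before serving."""
    record = INVOICES.get(invoice_id)
    return (200, record[1]) if record else (404, "not found")


def get_invoice_checked(invoice_id, session_token=None):
    """Require a valid session, then require that it owns the invoice."""
    customer = SESSIONS.get(session_token) if session_token else None
    if customer is None:
        return (401, "login required")
    record = INVOICES.get(invoice_id)
    # Same answer for "missing" and "not yours" so ids cannot be probed.
    if record is None or record[0] != customer:
        return (404, "not found")
    return (200, record[1])


def audit(handler):
    """Regression check: list the access rules a handler violates."""
    token_a = login("cust-a")
    findings = []
    if handler(1001, None)[0] == 200:
        findings.append("served without a session")
    if handler(1002, token_a)[0] == 200:
        findings.append("served another customer's invoice")
    if handler(1001, token_a)[0] != 200:
        findings.append("owner denied own invoice")
    return findings
```

Running `audit` against every document-serving route as part of a test suite catches this class of defect before it reaches production.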

The European Union’s General Data Protection Regulation (GDPR) was not in effect when CNIL learned of the security incident, but the data leak did violate applicable French law.

Subsequently, CNIL imposed a fine of 250,000 euros. That penalty reflected Optical Center’s need to restrict invoice access to a reserved space, as well as the company’s separate sanction of 50,000 euros for another security defect discovered in 2015.

CNIL made its decision in spite of the fact that Optical Center approached its website provider to remediate the security incident on the same day the Commission alerted it.

Ultimately, CNIL went public with the fine due to the sensitivity of the information exposed, the number of clients potentially compromised and the total volume of documents available on Optical Center’s website.